Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1660
Views
5
Helpful
4
Replies

802.1x EAP-TLS + laptops with docking stations

Pakellmute
Level 1
Level 1

‎02-09-2022 05:08 AM

Hello,

 

We are having a trouble with 802.1x authentication. Cisco ISE as RADIUS, Aruba switches as authenticators

Time after time different user gets rejected. I checked Wireshark - when laptop is connected to docking station, it receives "Identity request" from Aruba switch (as the interface is configured for aaa authentication and mac-based authentication), but computer does not respond. After short period of time - another "Identity request" from switch, but no response from laptop. When I plug in cable directly to a laptop - Identity request from switch, response from laptop and everything works fine. 
After short period of time (1-2hours) I connect laptop to docking station - and it works.....

Hundreds of users with docking stations - each day 3-5 different users for no reason gets rejected in this manner.

The problem starts for laptops with docking stations that worked for weeks. 

GPO is pushed to all wired interfaces (with Fast Startup disabled) and there should be no problem.

Any suggestions?

Labels:
0 Helpful
4 Replies 4

Arne Bier
VIP
VIP

‎02-09-2022 12:54 PM

Hello @Pakellmute 

 

When you say "computer does not respond" does that mean that you were at least able to confirm that the RADIUS comms between the Aruba switch and ISE is OK? In other words, ISE replies with an Access-Accept? And is that sufficient to put that switch port into a mode to allow the PC to send traffic? 

You mention 802.1X and then MAC based authentication on the switch - surely the switch is processing the EAPOL frames from the Windows client? Can you see that in ISE? 

The other thing to note is that with docking stations, each time you connect to one, Windows builds a new "Ethernet" interface (e.g. "Ethernet 3") - which means that all of your supplicant configurations will have been lost (if configured on "Ethernet 0") - unless I am mistaken 

0 Helpful

Pakellmute
Level 1
Level 1

‎02-11-2022 12:22 AM

Hello, @Arne Bier,

Thank you for your response.
Yes, communication between Aruba switch and Cisco ISE is okay, ISE replies with an Access-Accept.

When user authentication stops working with docking station (even though it used to work for weeks) - you can see my attached .png file the difference in wireshark. And as I mentioned before - it happens everyday for different users..
Yes, I checked NIC configuration when laptop is connected with docking - GPO configuration is pushed and it should respond with a certificate. 


 

Preview file
75 KB

TimJenkins
Level 1
Level 1
In response to Pakellmute

‎01-22-2024 06:37 AM

Hi, did you ever find a resolution to this out of Interest ? 

0 Helpful

ahollifield
VIP
VIP
In response to TimJenkins

‎01-22-2024 09:57 AM

I would suggest starting a new thread as this discussion is from 2022.  However, in my experience most of these USB docking station issues have been solved with driver updates for the docking station.  In one case though, the customer had to replace all of the docking stations.

0 Helpful
Customers Also Viewed These Support Documents